I'm doing the same thing as you.

In fact, your post is what I used to create my own policy.  I couldn't find 
any other examples anywhere, so thank you!

I'm using ruby instead of sh as my executable:

#!/bin/ruby
require 'shellwords'

# Puppet passes the certname as the first argument; refuse if it is missing.
exit(1) if ARGV.size == 0

host        = ARGV[0]
# Escape the request path before it is interpolated into the shell command,
# so a certname containing shell metacharacters cannot alter the pipeline.
csr_path    = Shellwords.escape("/var/lib/puppet/ssl/ca/requests/#{host}.pem")
custom_attr = `openssl req -noout -text -in #{csr_path} | grep "challengePassword" | awk -F ":" '{print$2}'`

# Sign only when the challengePassword attribute equals the shared secret.
exit(0) if custom_attr.strip == 'foo'
exit(1)




On Monday, February 17, 2014 6:59:06 AM UTC-8, George Brown wrote:
>
> So after re-reading the docs 
> http://docs.puppetlabs.com/puppet/latest/reference/ssl_autosign.html#policy-executable-api
>
> I've made the following modification which works.
>
> #!/bin/bash
>
> HOST=$1
> CUSTOM_ATTR=$(openssl req -noout -text -in "/var/lib/puppet/ssl/ca/requests/$HOST.pem" | grep "challengePassword" | awk -F ":" '{print$2}')
>  
> if [[ "$CUSTOM_ATTR" == "foo" ]]
> then
>   exit 0
> else
>   exit 1
> fi
>
> I'd still be interested to see what others are doing with policy based 
> auto signing though.
>
> On Monday, February 17, 2014 3:20:50 PM UTC+1, George Brown wrote:
>>
>> Hi,
>>
>> I'm trying to create an autosign policy which checks for a custom 
>> attribute in the CSR, but I'm having an issue with the master not signing 
>> the request.
>>
>> My client has the following in /etc/puppet/csr_attributes.yaml
>>
>> custom_attributes:
>>   1.2.840.113549.1.9.7: foo
>>
>>
>> My policy is a simple bash script, in this case checking for foo
>>
>> #!/bin/bash
>>
>> CUSTOM_ATTR=$(echo "$(cat)" | grep "challengePassword" | awk -F ":" '{print$2}')
>>
>> if [[ "$CUSTOM_ATTR" == "foo" ]]
>> then
>>    exit 0
>> else
>>    exit 1
>> fi
>>
>> I had tested with the following; I'm guessing the issue is with my script 
>> not reading in the CSR from puppet? If anyone has any examples of policies 
>> they have created I would love to see them (this seems to be lacking in the 
>> puppet documentation).
>>
>> sudo openssl req -noout -text -in /var/lib/puppet/ssl/ca/requests/mynode.pem | /etc/puppet/autosign.sh; echo $?
>> 0
>>
>> Many thanks,
>> George
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/8ed24552-e248-4259-8919-316c20d619cf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
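The policy executable the thread is after, as an added example that is not code from the thread or from Puppet: it follows the documented policy-executable API (certname as the first argument, PEM CSR on stdin) and reads the challengePassword attribute with Ruby's OpenSSL bindings instead of shelling out, so the certname never reaches a shell and the raw PEM (which never contains the literal string challengePassword; only openssl's decoded text does, which is why grepping stdin in the first script found nothing) is parsed properly. The node name, the shared secret 'foo' and the build_sample_csr fixture are constructed for illustration.

```ruby
#!/usr/bin/env ruby
# Puppet autosign policy executable: the certname arrives as the first
# argument and the PEM CSR on stdin; exit 0 signs, anything else refuses.
require 'openssl'
CHALLENGE_PASSWORD_OIDS = %w[challengePassword 1.2.840.113549.1.9.7].freeze

# Return the challengePassword attribute value, or nil if the CSR has none.
def challenge_password(csr)
  attr = csr.attributes.find { |a| CHALLENGE_PASSWORD_OIDS.include?(a.oid) }
  return nil unless attr
  first = attr.value.value.first # the attribute value is a SET of one string
  first && first.value.to_s
end

# Constant-time comparison so the secret cannot be recovered from timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign only if the CSR parses, its self-signature verifies, its CN matches the
# certname Puppet passed, and the challengePassword equals the expected secret.
def autosign?(certname, csr_pem, expected_secret)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |name, _| name == 'CN' }&.at(1)
  return false unless cn == certname
  secret = challenge_password(csr)
  !secret.nil? && secure_equal?(secret.strip, expected_secret)
rescue OpenSSL::X509::RequestError, OpenSSL::ASN1::ASN1Error
  false
end

# Constructed fixture (not a real node): a CSR carrying the custom attribute
# that the thread's csr_attributes.yaml sets.
def build_sample_csr(cn, password)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  csr.public_key = key.public_key
  csr.add_attribute(OpenSSL::X509::Attribute.new('challengePassword',
    OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(password)])))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Act as the policy executable only when Puppet invokes us with a certname.
if $PROGRAM_NAME == __FILE__ && ARGV.length == 1
  exit(autosign?(ARGV[0], $stdin.read, 'foo') ? 0 : 1) # 'foo' as in the thread
end
```

Install it as the autosign executable on the master; a CSR whose CN does not match the certname, whose signature fails, or whose challengePassword differs from the secret is refused.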
